geerlingguy / jeffgeerling-com

Drupal Codebase for JeffGeerling.com
https://www.jeffgeerling.com
GNU General Public License v2.0

Possible DDOS Prevention #147

Open minecraftchest1 opened 2 years ago

minecraftchest1 commented 2 years ago

I was thinking just now about possible ways to prevent your site from falling over. One of the ways I thought about that would probably be fairly simple to implement is a 404 block. The idea is that you take a block of addresses that are guaranteed to return a 404 from Drupal, and have Nginx return a 404 before it is passed to PHP, let alone your Pis downstream of Nginx.

From my quick testing, anything longer than 1 path segment, unless it starts with /blog, would qualify. Any URL starting with /blog longer than 3 path segments should also return a 404 without getting passed downstream. You could also see if the segment after /blog falls outside of the range of years that you had your site set up. There are some other rules that you could set up as well, but that should at least give you an idea. I am sure there are some tradeoffs you can make here in terms of performance, but I will leave that challenge up to you.

Note: I looked into this after writing that, and it appears that detecting a URL longer than a certain depth is not as easy as I thought. It may be possible to do that via an extension or using Lua, but I don't know if it would be worth the effort.

The theory I have here is that by providing less area for an attacker to hit Drupal, and therefore your database, you can protect against an attacker trying to cache bust your server and cause CPU load, as well as prevent unnecessary requests over your Pi's 4G connection, potentially saving you money.
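
The rules proposed in the comment above can be checked against an access log before anything is changed in Nginx. This is an added example, not part of the original comment or the site's code: the year bounds, the treatment of a non-numeric segment after /blog, and all sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed bounds: the comment does not say which years the site has existed.
FIRST_YEAR, LAST_YEAR = 2010, 2024  # hypothetical placeholders

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def early_404(path):
    """Return the rule that would answer 404 at the proxy, or None to pass on."""
    segs = [s for s in path.split("?", 1)[0].split("/") if s]
    if not segs or segs[0] != "blog":
        return "depth>1 outside /blog" if len(segs) > 1 else None
    if len(segs) > 3:
        return "depth>3 under /blog"
    if len(segs) > 1:
        year = segs[1]
        # Assumption: a non-numeric segment after /blog counts as out of range.
        if not (re.fullmatch(r"[0-9]{4}", year)
                and FIRST_YEAR <= int(year) <= LAST_YEAR):
            return "year out of range"
    return None

def replay(log_lines):
    """Count how many logged requests each rule would stop before PHP."""
    counts = Counter()
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m:
            counts[early_404(m.group(1)) or "passed to Drupal"] += 1
    return counts

# Constructed sample access-log lines (documentation IP range, made-up paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:00:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:00:00:02 +0000] "GET /about HTTP/1.1" 200 900',
    '203.0.113.5 - - [01/Jan/2024:00:00:03 +0000] "GET /blog/2020/some-post HTTP/1.1" 200 4096',
    '203.0.113.9 - - [01/Jan/2024:00:00:04 +0000] "GET /blog/2020/some-post/x1?cb=7 HTTP/1.1" 404 120',
    '203.0.113.9 - - [01/Jan/2024:00:00:05 +0000] "GET /blog/1999/nothing HTTP/1.1" 404 120',
    '203.0.113.9 - - [01/Jan/2024:00:00:06 +0000] "GET /qwe/rty/uio HTTP/1.1" 404 120',
    '203.0.113.9 - - [01/Jan/2024:00:00:07 +0000] "GET /about?cb=123 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for rule, n in replay(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {rule}")
```

In the sample, the request for `/about?cb=123` still reaches Drupal: the rules look only at path segments, so query-string variations on a valid path are not covered by them.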